Hi Pernaman,
Old code -> -http://media.kapowtoys.co.uk/js/87baa278cc7a13254062ffccb1b52894.js
and Prototype JavaScript framework, version 1.7 with issues.
We see the NoScript alerts and any other script blocker like uMatrix for instance for
www.kapowtoys.co.uk for external links to htxp://s7.addthis.com/ that is prevented from loading by default (could lead to ads - pop-up adware etc.)
Here: Script loaded: -http://s7.addthis.com/js/300/addthis_widget.js
& -http://s7.addthis.com/static/menu.f69da47d305e6f24c64c.js
Script loaded: -http://m.addthis.com/live/red_lojson/300lo.json?9ug8tk&colc=1452673391163&si=5696096e71225ed8&uid=5696096fe3bbf8c1&pub=ra-56617886949baab4&rev=v4.1.2-wp&jsl=35&ln=en&pc=men&dp=www.kapowtoys.co.uk&of=0&uf=1&pd=0&irt=0&md=0&ct=1&tct=0&abt=0<=110&cdn=0&tl=c%3D118%2Cm%3D158%2Ci%3D178%2Cxm%3D278%2Cxp%3D280&pi=1&&rb=0&gen=100&callback=_ate.track.hsr&mk=Selling%20Generation%201%20Transformers%20and%20Action%20Figures.Buy%20Transformers.G1%20for%20sale%2CParts%20and%20Accessories%2CInstruction%20Manuals%2CBooks%2CComics%2CCybertron%2CArmada%2CGeneration%202%2CClassics%2CUniverse%202.0&uvs=5696096e5d3536e1000&chr=UTF-8&vcl=0
Script loaded: -http://s7.addthis.com/static/layers.b1bac13e042a23a22c4c.js
Some versions of prototype.js could be exploitable by XSS. The version here may not be.
66% of the trackers on this site could be protecting you from NSA snooping. Tell kapowtoys.co.uk to fix it.
Unique IDs about your web browsing habits have been insecurely sent to third parties.
On the user log-in page this is 80% for Google.
v1%3a144XXXXXX442714185 Twitter guest_id
I find 9 trackers:
www.kapowtoys.co.uk Google
Google
Google
Facebook
Twitter
media.kapowtoys.co.uk
local.adguard.com
www.mustbebuilt.co.uk www.mustbebuilt.co.ukHTTP only cookies: Warning
Requested URL:
http://www.kapowtoys.co.uk/ | Response URL: -http://www.kapowtoys.co.uk/ | Page title: Home | HTTP status code: 200 (OK) | Response size: 111,919 bytes (gzip'd) | Duration: 1,038 ms
Overview
Cookies not flagged as "HttpOnly" may be read by client side script and are at risk of being interpreted by a cross site scripting (XSS) attack. Whilst there are times where a cookie set by the server may be legitimately read by client script, most times the "HttpOnly" flag is missing it is due to oversight rather than by design.
Result
It looks like a cookie is being set without the "HttpOnly" flag being set (name : value):
frontend : aa2510754e3xxxxxxad69861db1e4d5
Unless the cookie legitimately needs to be read by JavaScript on the client, the "HttpOnly" flag should always be set to ensure it cannot be read by the client and used in an XSS attack.
DNS Issue: Check MX Records for Duplicates
WARNING: MX records duplicates (same IP address):
64.233.165.27: [alt1.aspmx.l.google.com. aspmx2.googlemail.com.]
74.125.68.27: [alt2.aspmx.l.google.com. aspmx3.googlemail.com.]
Although technically valid, duplicate MX records have no benefits and can cause confusion.
Log-in encrypted - communications not encrypted.
Reds only because IP address report is new:
http://toolbar.netcraft.com/site_report?url=http://91.192.194.88So there are some minor issues to be addressed. But as a rule I would wish every site on the world wide webs had a security record like this one.......
But they have overlooked magento security, a very serious bug in that version that could make attackers could read out all files on that website, that could lead to a session hijack. This should be patched with an upgrade to a later version of the software (2.0). How to? ->
https://magecomp.com/blog/how-to-install-magento-security-patches/polonus (volunteer website security analyst and website error-hunter)
